NIS2: mandatory compliance, scope and deadlines

  • What is the NIS2 policy?
  • Published by: André Hammer on Apr 03, 2024
Group classes

For organisations within scope, NIS2 sets mandatory EU cybersecurity requirements once the directive has been transposed and enforced through the relevant national law.

The short answer is therefore yes, but with two important conditions. NIS2 is an EU directive rather than a regulation, so it requires each EU Member State to implement it through national law; and an organisation’s duties depend on whether it is classed as an essential or important entity under the directive and the relevant national implementation.

That distinction matters because NIS2 is not a general cybersecurity law for every business. It targets organisations in specified sectors whose services are important to society, the economy, public administration, digital infrastructure or supply chains. The practical question is not “does the business use technology?” but “does the organisation provide a covered service, at a covered scale, in or to the EU?”

What NIS2 makes mandatory

NIS2 replaces and expands the original Network and Information Security Directive. Its purpose is to raise the cybersecurity baseline across the EU by requiring in-scope entities to manage cyber risk, report significant incidents, secure supply chains, and ensure management oversight of cybersecurity controls.

The directive does not prescribe a single technical toolset. Instead, it expects organisations to operate proportionate risk management measures covering areas such as incident handling, business continuity, crisis management, supply-chain security, vulnerability handling, access control, encryption where appropriate, and policies for assessing cybersecurity effectiveness. In practice, this pushes NIS2 work beyond the IT department because procurement, legal, operations, risk management and senior leadership all have responsibilities that influence compliance.

Authoritative interpretation should start with the NIS2 Directive text itself, especially the scope provisions and Articles 20 to 23 on governance, risk management and incident reporting. ENISA guidance and national CSIRT or competent authority portals then provide the country-specific operational detail that organisations need once national laws are in force.

Who is in scope under NIS2?

NIS2 applies mainly to medium and large organisations in sectors listed in Annex I and Annex II of the directive. The common size-cap rule captures organisations with at least 50 employees and either annual turnover or annual balance sheet total of at least €10 million, although national law and sector-specific designation can affect the final position.

Annex I covers sectors of high criticality, including energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management for business-to-business services, public administration and space. Annex II covers other critical sectors, including postal and courier services, waste management, certain manufacturing activities, chemicals, food, digital providers and research organisations.

A practical scoping review usually starts with four questions:

  1. Is the organisation medium or large under the EU size thresholds?
  2. Does it operate in an Annex I or Annex II sector?
  3. Is there an exception that brings it into scope regardless of size, such as certain trust service providers, DNS service providers, top-level domain name registries or nationally designated critical entities?
  4. Does it provide covered services into the EU from outside the EU?

If the answer to the sector, exception or EU-service question is yes, the organisation should treat NIS2 applicability as a serious likelihood until it has checked the relevant national implementing law. The small-entity exemption is also easy to overread: micro and small enterprises are often outside the default scope, but NIS2 contains specific exceptions where smaller providers can still be covered because their services are systemically important.

Essential and important entities are treated differently

NIS2 divides covered organisations into essential entities and important entities. Essential entities generally include larger organisations in Annex I sectors and certain designated critical providers, while important entities include many organisations in Annex II sectors and some medium-sized Annex I organisations. The precise classification depends on the directive, national transposition and any designation by the competent authority.

The difference is not merely a label. Essential entities face more proactive supervision, which may include audits, inspections and requests for evidence before an incident has occurred. Important entities are generally supervised more reactively, often after evidence of non-compliance or following an incident, although they still have binding obligations.

The penalty tiers also differ. Member States can set detailed enforcement processes in national law, so organisations should confirm how those powers have been implemented in each relevant jurisdiction.

When NIS2 applies and why national law matters

EU Member States were required to transpose NIS2 into national law by 17 October 2024. From that point, the practical enforcement timetable depends on each Member State’s legislation, registration processes, regulator readiness and sector-specific guidance.

This is one reason a single EU-wide answer can be misleading. A multinational organisation may need to map entities, services and locations against several national regimes, especially where it operates infrastructure in one country, provides digital services in another, and has customers across the EU. Even where the directive wording is common, reporting channels, supervisory authorities, registration obligations and evidence expectations can differ.

Non-EU organisations should also avoid assuming NIS2 is irrelevant. Certain providers offering covered services into the EU can be brought within scope and may need to appoint an EU representative. This extra-territorial reach is particularly relevant for digital infrastructure and digital service providers whose legal headquarters sit outside the EU but whose services are used by EU customers.

Incident reporting deadlines under NIS2

NIS2 creates staged reporting obligations for significant incidents. The first stage is an early warning to the competent authority or CSIRT without undue delay and, where applicable, within 24 hours of becoming aware of the incident. This warning is intended to flag whether the incident is suspected to be unlawful or malicious and whether it could have cross-border impact.

The second stage is an incident notification without undue delay and, where applicable, within 72 hours of becoming aware of the incident. This notification should update the initial information and provide an initial assessment of severity, impact and indicators of compromise where available. A final report is then due no later than one month after the incident notification, setting out the incident description, cause or likely cause, mitigation measures and cross-border impact where relevant.

These timeframes change how organisations should prepare. Incident response plans must define who can classify a NIS2-reportable incident, who can approve notifications, what evidence is needed, and how legal, communications and technical teams coordinate under pressure. The directive also allows voluntary reporting of certain cyber threats, which can help authorities build situational awareness even where the mandatory incident threshold is not met.

Governance, supply chain and management accountability

NIS2 makes management accountability explicit. Management bodies are expected to approve cybersecurity risk management measures, oversee their implementation and be able to understand the cyber risks affecting the organisation. In serious cases, national authorities may be able to impose supervisory measures affecting responsible individuals, including temporary bans from exercising management functions where national law provides for such measures.

Supply-chain security is another central change. Organisations cannot treat third-party technology providers, managed service providers, logistics partners or critical software suppliers as peripheral risks. Contracts, onboarding controls, assurance processes and incident-notification duties need to reflect the importance of the supplier to the covered service.

A frequent implementation mistake is to treat NIS2 as a tooling project. Security monitoring, vulnerability management and incident response technology may be necessary, but the directive also expects governance, documented decision-making, supplier oversight, reporting rehearsals and management involvement. Other common errors include conflating NIS2 with GDPR or anti-money-laundering duties, assuming all small entities are exempt, overlooking non-EU service provision into the EU, and waiting for a major incident before testing the 24-hour and 72-hour reporting process.

NIS2 and the UK are separate regimes

NIS2 does not apply directly in the UK because the UK is no longer an EU Member State. UK organisations are instead subject to the UK Network and Information Systems Regulations 2018 where those regulations apply, along with any future UK reforms to that regime.

The separation does not mean UK-based organisations can ignore NIS2. A UK provider offering covered services into the EU may need to assess whether an EU Member State can designate it, whether an EU representative is required, and whether customer contracts require NIS2-aligned controls. Organisations operating in both markets should keep the regimes distinct rather than merging UK NIS, EU NIS2, GDPR and sector rules into a single undifferentiated compliance label.

How to assess readiness without turning NIS2 into paperwork

A useful readiness assessment begins with scope, not controls. Organisations should identify legal entities, services, sectors, countries, size thresholds, critical dependencies and customer locations before investing heavily in remediation work. This prevents effort being spent on the wrong entity, the wrong regulator or the wrong reporting route.

Once scope is clear, the next step is to compare current practice against the directive’s operational expectations. That means checking whether incident reporting can operate within the required timeframes, whether management can evidence oversight, whether supplier risk is tiered by operational criticality, and whether business continuity arrangements are tested rather than merely documented.

Some organisations use structured training to help compliance, security and operational teams build a shared interpretation of the directive. Readynez covers this through its NIS 2 Directive Lead Implementer course, while related governance and audit skills can be explored through ISACA training options. The value of any training is strongest when it is connected to an actual scope assessment, incident-reporting workflow and supplier-risk review.

Turning NIS2 obligations into operational practice

NIS2 is mandatory for organisations that fall within its EU scope, but compliance depends on sector, size, entity classification, national implementation and whether covered services are provided into the EU. The safest starting point is a documented applicability assessment, followed by practical work on governance, incident reporting, supply-chain controls and evidence that management oversight is active.

Teams that need a structured way to develop cybersecurity and compliance skills can also consider security training options or contact the team to discuss which learning route fits their NIS2 responsibilities. The key takeaway is that NIS2 readiness should be treated as an operating model issue, not a last-minute documentation exercise.

FAQ

Is NIS2 mandatory?

Yes. NIS2 is mandatory for organisations that fall within its scope once the relevant EU Member State has implemented it through national law. It applies to covered essential and important entities, not automatically to every organisation.

Does NIS2 apply to small businesses?

Many micro and small enterprises are outside the default scope, but there are important exceptions. Some smaller entities can still be covered if they provide services such as trust services, DNS services or top-level domain registry services, or if they are designated as critical under national rules.

What are the main NIS2 reporting deadlines?

For significant incidents, NIS2 sets a staged process: an early warning within 24 hours where applicable, an incident notification within 72 hours where applicable, and a final report within one month of the incident notification. National portals and competent authority guidance explain how reports must be submitted in each country.

What are the penalties for NIS2 non-compliance?

Supervisory measures and management accountability provisions may also apply under national law.

Does NIS2 apply in the UK?

NIS2 does not apply directly in the UK. The UK has its own Network and Information Systems Regulations 2018, although UK organisations that provide covered services into the EU may still need to assess EU NIS2 obligations.

Two people monitoring systems for security breaches

Unlimited Security Training

Get Unlimited access to ALL the LIVE Instructor-led Security courses you want - all for the price of less than one course. 

  • 60+ LIVE Instructor-led courses
  • Money-back Guarantee
  • Access to 50+ seasoned instructors
  • Trained 50,000+ IT Pro's

Basket

{{item.CourseTitle}}

Price: {{item.ItemPriceExVatFormatted}} {{item.Currency}}